Impact
SEPPmail Secure Email Gateway versions before 15.0.1 do not communicate the outcome of PGP signature verification to the recipient. Because the recipient is never told whether a signature verified or failed, a legitimately signed message cannot be distinguished from a forged one. The weakness is an improper verification of a cryptographic signature (CWE‑347): the check may run, but its result never reaches the party that would act on it, so the authenticity and integrity assurances that a signature is supposed to provide are lost. An attacker can therefore send an email that appears to be signed by a trusted sender while carrying attacker‑controlled content. The primary consequence is that users may trust forged messages, enabling phishing, spoofing and social‑engineering attacks.
Affected Systems
All deployments of SEPPmail Secure Email Gateway running a version older than 15.0.1 are affected, covering the gateway software and its secure email component as identified by the vendor’s product name and the associated CPEs. Version 15.0.1 and later contain the fix.
Risk and Exploitability
The CVSS score of 6.9 places the vulnerability at the top of the Medium severity band, and an EPSS score below 1% indicates that exploitation is currently unlikely. It is not listed in CISA KEV. Exploitation requires only that a crafted email be delivered to a recipient behind the gateway; the attacker needs no elevated privileges. Based on the description, the likely attack vector is a malicious email sent to a target user. The direct impact is on the authenticity and integrity of email content rather than on confidentiality or availability, but because a forged message that looks signed is an effective phishing lure, the consequence for users and organizations can be significant.
OpenCVE Enrichment